Robert Mayer

A Cybersecurity Message to Congress: Size Matters

In today’s hyper-connected digital economy, an organization’s value is often determined by its ability to manage and protect information that it collects, stores and moves across internal and external networks. When these highly-prized digital assets are stolen, or when the systems that manage their use are compromised, companies can face immeasurable harm. The ability to mitigate such risk in a cost-effective manner may be one of the most pressing challenges that organizations face today, and this is especially the case for small and mid-size businesses.

A survey of this sub-segment conducted last year by the renowned Ponemon Institute found a majority of respondents are concerned that cyber-attacks against their companies are becoming more targeted, sophisticated and severe. A major cause for concern is that only 14 percent of respondents rate their organization as “effective” at mitigating risks, vulnerabilities and attacks against their businesses.

Last week I had an opportunity to brief members of the House Committee on Science, Space, and Technology in a closed session focused on the unique circumstances that impact small and mid-sized business. I noted that smaller companies are now confronting many of the same sophisticated threats that much larger enterprises face, but without the resources that come with large economies of scale and scope. Ransomware is just one example of how criminal enterprises are expanding their targets at minimal cost. For example, Ransomware as a Service (RaaS) can now be purchased on the Internet’s Dark Web, with some services promising to deliver ransom e-mails in 30 different languages.

Prescriptive regulation will not keep up with the techniques and tools used by bad actors, and that only a concerted and collaborative effort by government and industry to provide assistance and guidance, where appropriate, will work. During the event, I applauded the lawmakers for supporting legislation that would have the National Institute of Standards and Technology (NIST) focus resources on helping small and mid-sized businesses better manage (though not eliminate) their cybersecurity risk and to fund efforts, like the Department of Homeland Security’s (DHS) effort to provide cybersecurity assessments and advice to critical infrastructure entities.

I shared the importance of the landmark work that USTelecom co-led with the Federal Communications Commission’s Communications Security Reliability and Interoperability Council (CSRIC) to adapt the NIST Cybersecurity Framework to the broadcast, cable, satellite, wireless and wireline industry segments. In that year-long effort, which involved more than 100 cybersecurity professionals, a report with guidance for small and medium sized companies was developed.

USTelecom continues to actively support the small and mid-sized broadband service providers with cybersecurity risk management. We have recently formed a new Small and Mid-Company Cybersecurity Committee designed to share information about network and enterprise cyber threats and mitigation techniques with our members. The group will also examine tools and common practices that have been shown to be cost-effective and share lessons-learned on core risk management functions such as: identifying, preventing, detecting, responding and recovering from cyber-attacks.

As part of Cybersecurity Awareness Month, we released an updated Cybersecurity Toolkit which also includes specific guidance for this segment of the digital ecosystem. The online toolkit provides guidance developed for the small and mid-sized community by the Small Business Association Administration, the FCC, the Federal Trade Commission and others. We are hopeful USTelecom’s leadership in the cybersecurity ecosystem, our collaborative efforts with industry and government, and the continued development of tools and resources, will help allay the concerns of many smaller companies.